Organizations strive to ensure secure and convenient user access to services or accounts. With the proliferation of identity theft and the growing emphasis on convenience, organizations are forced to find a balance between gathering enough identifying information to provide enough confidence in a user's identity and making the services or accounts accessible to users. Regulations and business rules may govern how much or what identifying information the user must provide depending upon the nature of the activity that is requested.
Many traditional systems often rely on authentication measure that include ownership factors (e.g., security token), knowledge factors (e.g., passwords or PINs), and/or inherence factors (e.g., fingerprints or retinal patterns). These authentication measures are often static or presented at pre-defined entry points. To varying degrees, authentication measures based on these factors can be easily circumvented and/or counterfeited. In addition, many systems simply rely on passwords and/or challenge responses at a single point to determine if access should be granted. Also, many systems sacrifice increased security measures for convenience of use. As such, techniques are needed that provide for improved security without sacrificing ease of use for the user.
In some embodiments, a method and system of user verification is described. A method may include observing behavioral characteristics of user interactions during a current session with a user through one of a plurality of channels; identifying, in real-time or near real-time, variations between the behavioral characteristics of the user interactions observed during the current session and a behavioral profile—previously developed based on prior usage patterns of the user through the plurality of channels; and implementing a challenge level to proceed in the session, the challenge level based on the variations between the behavioral characteristics and the behavioral profile.
In some embodiments, the method further includes receiving current device information. Identifying variations between the behavioral characteristics may include comparing the current device information with historical device information stored in the behavioral profile. The current device information may include at least one of the following: device location, device identification, channel usage on the current device, language, network, or internet service provider. Identifying variations may include estimating a distance between behavioral characteristics in the current session and the behavioral profile.
In some embodiments, the method further includes developing the behavioral profile by identifying typical usage patterns of behavior from historical usage data; calculating a distance between the behavioral characteristics of the current session and the behavioral profile; and validating the behavioral profile during the current session when the behavioral characteristics of the current session are within a predetermined distance from the typical usage patterns of the user.
In some embodiments, the behavioral profile includes the behavioral characteristics and the method further includes representing at least a portion of the behavioral characteristics as metrics.
In some embodiments, the behavioral profile includes the behavioral characteristics, and wherein the characteristics include at least one of: duration between keyboard strokes, intensity of keyboard presses, user central processing unit time, system central processing using time, an amount of time between user logons, the amount of character 10 during application execution, maximum size of a request, real user usage over time, virtual size of text segment, total number of ties opened during application execution, a number of major and minor page faults, a number of pages accessed, a measure of disk 10, elapsed time in seconds of the session, a number of signals received during application execution, a name of new user name changed during a session, a number of unique internet protocol addresses used per month, hour of day of the session, number of distinct pages accessed during the session, whether an application executed was executed on a remote network host, a number of computers used each month, a name of a remote network host if an application was executed on the remote network host, name of a local network host on which an application was executed, number of different users with a same internet protocol addresses, number of seconds since a last audit record for an application, or a number of times the user logs in per predetermined time period.
In some embodiments, the method further comprises adapting the behavioral profile based on the behavioral characteristics of the user interactions observed during the current session. The behavioral profile may initially be created using demographic data of users similar to the user. The method may further include removing or deemphasizing at least a portion of the demographic data from the behavioral profile as the user behavioral profile is adapted with the behavioral characteristics of the user interactions observed during the current session.
In some embodiments, the method further includes receiving a response to the challenge level, determining whether the response to the challenge level authenticates the user; and adapting the behavioral profile based on the behavioral characteristics that triggered the challenge level. The challenge level may include allowing the user to proceed with the session, collecting identifying information, noting suspicious activity, or disallowing the user to proceed with the session.
In some embodiments, the variations are indicative of a second user, and the method may further include determining that the second user is authorized by the user, and developing a behavioral profile for the second user.
The challenge level may be based on a risk level of requested activities of the session and the behavioral profile may be based on authentication logs, click trail data, and previous warnings indicating suspicious activity. The plurality of channels may include an internet portal, face to face contact, a mobile application, and an instant messaging system.
The behavioral profile may be developed using at least one of the following: Bayesian network, statistical-based anomaly detection techniques, one or more Markov models, knowledge-based techniques, neural networks, clustering and outlier detection, demographic analysis, genetic algorithms, or fuzzy logic techniques.
In other embodiments, a computer-implemented method of fraud prediction including passively identifying a user interacting through a channel during a session; retrieving, from a database, a predictive behavioral profile associated with the user, wherein the behavioral profile receives current user interactions with the channel and estimates a distance from prior usage patterns of the user; identifying, using a processor, in real-time or near real-time, variations between current usage patterns of the user and the behavioral profile; and implementing a challenge level to proceed in the session, the challenge level based on the variations between the behavioral characteristics and the user behavioral profile.
The computer-implemented method may further include developing the predictive behavioral profile using at least one of the following: a Bayesian network, a statistical-based anomaly detection technique, one or more Markov models, knowledge based techniques, neural networks, clustering and outlier detection, demographic analysis, genetic algorithms, or fuzzy logic techniques.
In other embodiments, a system for authenticating a user is disclosed. The system may include a channel communication module for engaging in one or more sessions with a user via a plurality of channels; an information gathering module for: monitoring user behavior during the one or more sessions and collecting demographic data relating to the user; means for developing a user behavioral profile based on the user behavior and demographic data, the user behavior profile including patterns of behavior that are typical of the user; the channel communication module for observing the user behavior during the session; a variation determining module for determining, in near real-time, variations between the user behavior observed during the session and the user behavioral profile; and a challenge module for implementing a challenge level to proceed with the session based on the variations; and adapting the user behavioral profile with the user behavior from the session.
While multiple embodiments are disclosed, still other embodiments will become apparent to those skilled in the art from the following detailed description, which shows and describes illustrative embodiments. As will be realized, embodiments of the present disclosure are capable of modifications in various aspects, all without departing from the scope of the present disclosure. Accordingly, the drawings and detailed description are to be regarded as illustrative in nature and not restrictive.
The drawings have not necessarily been drawn to scale. For example, the dimensions of some of the elements in the figures may be expanded or reduced to help improve the understanding of the embodiments of the present disclosure. Similarly, some components and/or operations may be separated into different blocks or combined into a single block for the purposes of discussion of some of the embodiments of the present disclosure. Moreover, while embodiments of the present disclosure are amenable to various modifications and alternative forms, specific embodiments have been shown by way of example in the drawings and are described in detail below. The intention, however, is not to limit the disclosure to the particular embodiments described. On the contrary, the disclosure is intended to cover all modifications, equivalents, and alternatives falling within the scope of the disclosure.